How to safeguard critical infrastructure against cyber attacks
Mehmet Öğütçü - H. Avni Aksoy*
Turkey’s recent power blackout, whatever the real reasons are, has been a powerful reminder of how vulnerable we are to a potentially massive, unexpected infrastructure collapse. It should be viewed as a wake-up call to prompt our government, military and businesses to have a hard look at how we should prepare ourselves to counter this 21st century, asymmetrical threat to our economy, business, society and national security.If the power out(r)age in Turkey was indeed a technical glitch, then there is no doubt that the existing systems should be made more reliable and those in charge of the systems better trained and equipped. If it was a result of a deliberate action by a malicious party, then, again, the systems should be made more reliable and less prone/vulnerable to attacks, cyber or otherwise. Hence, a vigorous effort is needed – drastically different than our traditional defense against any known security threat to date.
It is inconceivable to presume that the authorities did not take countermeasures to ensure the reliability of critical infrastructure. They have no doubt assessed the risks and possible threats that could compromise the system – not only in energy, which is the backbone of our lives, but also in financial services, telecoms and military defense systems. However, this latest event demonstrated our soft belly and that the risks lie elsewhere, where nobody looked and/or made an effort to take relevant precautions.
Cyber attacks – the deliberate targeting for purposes of stealing, compromising or destroying or denying access to data stored on computer information systems – is a 21st-century reality and thus a national security priority for governments and a critical risk for companies. They can possibly inflict on targets and victims high cost, disruptive attacks at little or no risk of retaliation.
The security risks that emerge from a plethora of technological advances and information sharing will only increase, becoming more sophisticated and damaging over time. Of specific interest to attackers are the industrial control systems that operate mission and safety critical infrastructures such as oil and gas drilling; production refining; electricity generation, transmission and distribution; and potable and waste-water networks.
Many critical entities in Turkey – and indeed around the world – have neither serious plans nor adequate planning. Some threat vectors are easy to predict, such as a terrorist attack on physical infrastructure. Natural disasters are less easy to predict but can be prepared for. However, the least predictable threats come from the virtual world. The famous Stuxnet worm has taught the IT world that even off-line systems have exploitable vulnerabilities.
Those carrying out cyber attacks can be hostile governments, ideologically motivated individuals, those representing various corporate entities and “lone wolf” or small groups who prey upon vulnerable hardware and software, often so that they can blackmail the target entity. They represent an asymmetric warfare that targets governments, companies, military and citizens.
It’s not just the big enterprises and governments that need to worry; cyber criminals are constantly looking to exploit the weakest link in any industry and organization. They are very effective weapons for terrorists and hackers seeking to instill fear in general population, making them doubt their governments’ ability to govern.
Even if control of the cyber world is unachievable, the threats it harbors can be mitigated and risks effectively managed. Countermeasures can significantly increase data security. Some of these include, but are not limited to, access control and authorization, awareness training, audit and accountability, risk and security assessment, penetration testing and vulnerability management.
The first step is to better understand the security risk, improve and maintain security, and respond quickly and effectively to incidents. It is our belief that cyber security requires the commitment and support of C-suite and government leaders, not only that of IT managers.
The cyber attacks are only one side of the medallion. There is the business and government continuity and making sure that, in the face of ever evolving threats, “business as usual” can go on. In the end, it all comes down to the human factor. Humans design the systems, humans seek the vulnerabilities, humans erect defenses and humans betray the weaknesses.
To be sure, cyber crime is real, costly and here to stay. Therefore, in recognizing this reality we have to live with, it pays to be prepared and educated professionally to develop long-term security and business resiliency, enabling foresight about cyber threats and forearm ourselves to prevent harm (and if it comes to that, recover) our operations quickly and at reasonable cost.
*Mehmet Öğütçü is chairman of the London-based Global Resources Partnership Group. Hüseyin Avni Aksoy is an ambassador at the Turkish diplomatic service.